OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Lysel Christian Emre (chlysWMDATA.COM)
Date: Sat Mar 24 2001 - 10:55:29 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    1. Problem Description

            The Raptor firewall is vulnerability for forwarding http
            request on other port numbers than 80, if a rule allows http
            traffic.

            Redirect rules does not affect this problem.

            When an extern or internal client, configures itself to use
            the nearest interface as proxy, it's possible to access other
            ports that 80 on the target host.

            Only the http protocol is allowed and only to a range of TCP
            ports:

                    TCP, 79-99 and TCP, 200-65535.

            If a port outside this range is targeted, an Alert
            will be issued.

            An example of what is vulnerability could be used for:

                    Setting a Raptor firewall up, allowing Universe to
                    access a local web server (host: webserver), listening
                    on port 80 (normal website) and 2000 (admin
                    site). This would give external users access to the
                    admin site listening on port 2000, if the client is
                    configured to use the external interface as a proxy
                    server (for lynx: "export http_proxy =
                    http://external-interface:80/ ; lynx
                    http://webserver:2000/").
            
            This works not only for external users, but also for internal
            users.

            Testing of the Secure Socket Layer has not been performed.

    2. Vulnerable Versions

            Raptor firewall 6.5.

    2.1 Non Vulnerable Versions

            Raptor firewall 6.0.2.
            Older versions, not tested.

    3. Solution

            1. Use httpd.noproxy in the affected rule.

            2. Downgrade to version 6.0.2

            3. Apply hotfix SG6500-20000920-00 and SG6500-20001121-00,
            
    ftp://ftp.axent.com/pub/RaptorFirewall/Patches/6.50/Internal/http-int.zip

              Hot Fix SG6500-20000920-00 9/20/2000

              if client uses firewall as proxy, firewall will forward
              request to ports other than 80 on server. this vulnerability
              is fixed by closing all ports for proxy except 80 and port
              specified by httpd.allow_proxy_to_port_xxx=1.

              Hot Fix SG6500-20001121-00 11/21/2000

              this hotfix removes the implementation of
              httpd.allow_proxy_to_port_xxx. Without this implementation,
              firewall could be used as proxy to access (inbound and
              outbound) http ports other than 80.

    3.1 Workaround:

            1. Disable the http proxy, and use the TCP proxy. But this
            will introduce other security concerns.

            2. Disable other listeners at the webserver.

    4. References

            Found by:

            Benny Amorsen, benny_amorsenhp.com and
            Christian E. Lysel, chlyswmdata.com

            Reported to Axent the 29th Aug 2000.

    --
    Christian E. Lysel, Senior Security Consultant,
    WM-data Infra Solutions eCom, Lautrupvang 10, DK - 2750 Ballerup
    Phone +45 44 78 40 00, Mob +45 44 78 40 29, Fax +45 44 78 40 04